Stagefright: Arguably the Worst Security Hole in the Android OS to Date

More than a month ago, this blog posted a report on a vulnerability in iOS that makes a device shut down after receiving a text message with a specific set of characters. It appears that the text message bug is not limited to iOS devices. Android devices also have comparable vulnerabilities that can expose them to security problems. If you are an Android device user, you may need to think twice before giving just anyone your number. Someone can initiate a hack attack on your phone by simply sending an MMS to you.

Stagefright

Up to 95% of the Android devices in use worldwide, or around 950 million, can be compromised with just an MMS message, based on a recent discovery of vulnerabilities in the Android operating system’s source code. These vulnerabilities have been collectively codenamed “Stagefright” and are believed to be among the most severe security flaws discovered in Google’s free mobile operating system. Stagefright has been found to affect Android 2.2 (Froyo) and later versions. The codename was taken from the vulnerable media library in Android’s source code.

Image credit: Zimperium Mobile Security (website screenshot)

The vulnerabilities were discovered by Joshua Drake of Zimperium’s zLabs team and were reported in April. Google is said to have already released patches to address these bugs, but Drake thinks that most device manufacturers have not yet undertaken efforts to fix the issues. As such, devices running Android 2.2 or newer should be assumed vulnerable. The vulnerabilities, identified by their CVE numbers, are as follows: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829.

How Stagefright Works

As mentioned earlier, the bug enables an attack through a text message. All it takes is just one malware-laced Stagefright message to an Android device running Froyo or a more recent Android version. An exploit or malware can be packaged in a multimedia message (MMS) and sent to the intended victim. Once received, the MMS allows the malware embedded in it to write code to the device and steal data from the areas that Stagefright has been granted permission to access and write.

Possible Hacking Activities

Stagefright is primarily about snooping and the theft of data and multimedia content. It enables the attacker to obtain information, photos, and videos stored on a device. It can also activate the camera to allow the attacker to snap images or videos without the victim’s knowledge. It can likewise grant access to the microphone of a device to record audio. Moreover, the Bluetooth feature of a device may also be hacked through Stagefright.

The way Stagefright operates depends on which MMS application is used. Stagefright appears to be most effective when sent through Google Hangouts because, according to Drake, it triggers immediately, without the message being opened and even before the notification is displayed. Hence, it is possible to conduct an attack that is virtually impossible to detect, since the message sent to initiate the attack can be deleted by the attacker after the data theft or other hacks have been completed.

In the case of Android Ice Cream Sandwich and the Messenger messaging application, Stagefright triggers after the MMS is viewed, even without playing the media content that comes with it.

Drake says that more exploits can be “chained” with the MMS and these can lead to more serious security concerns like elevated privileges, which can allow the attacker to go beyond what Stagefright is originally granted rights to access.

Google’s Reaction and Fix

Google is well aware of the vulnerabilities reported by Drake and has already released patches to address the problems. Google also thanked Drake for reporting the bugs. However, these patches will be useless if device manufacturers don’t build on them to release their own patches for the devices they make.

By John Marino from Pittsburgh, The fine US of A (Googleplex Uploaded by GrapedApe) [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

Google’s patches cannot be sent directly to devices that use skinned or manufacturer-customized versions of Android. As of this posting, leading Android makers Samsung, LG, Sony, Lenovo, and Motorola have not yet announced schedules for their patches. HTC, however, claims that it already rolled out patches in early July after Google informed it. For Nexus devices, Google says that the security update will be released next week. CyanogenMod, on the other hand, has already released its Stagefright fix.